Ethereal-dev: Re: [Ethereal-dev] parsing the whole dir using ethereal for the error checking

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 27 Dec 2002 14:25:09 -0800
On Fri, Dec 27, 2002 at 12:13:53PM -0800, Nehal Shah wrote:
> I have a dir in which there are 100 .enc files (capture files). I do not want
> to look at each one of those files and figure out whether each packet
> meets CRC PASS or not according to ethereal.

Well, first of all, note that Ethereal doesn't check Ethernet CRCs, so
if you want it to check *those*, you're out of luck.

It can check PPP CRCs, and some other CRCs, as well as some non-CRC
checksums such as IP, TCP, and UDP checksums.

> I would rather modify ethereal
> so when it has CRC error it tells me "Filename XXXX has YYYY CRC errors"
> etc. so I would be interested in doing something like.

One way to do this, *if* the particular protocol whose CRC or checksum
is being checked has a filterable field that specifies whether the
checksum on a packet was valid or not, e.g.  "ip.checksum_bad", which is
a Boolean field whose value is "true", i.e.  1, for IP packets with a bad
header checksum, would, at least on UNIX, be to do something such as

	tethereal -R "ip.checksum_bad == 1" -r {capture file} | wc -l

which would read the capture file whose name is "{capture file}"
(replace "{capture file}" with the name of a file), throwing away all
packets where "ip.checksum_bad" is *not* true, and writing out to the
standard output a summary line for other packets.  That gets piped to
"wc -l", which will report how many lines it read - i.e., how many
packets had "ip.checksum_bad" being true.

One could then do something in that directory such as

	for i in *.enc
	do
		# one summary line per packet with a bad IP header checksum
		bad_packets=`tethereal -R "ip.checksum_bad == 1" -r "$i" | wc -l`
		if [ "$bad_packets" -ne 0 ]
		then
			echo "File $i has $bad_packets bad IP checksums"
		fi
	done

If you are running on Windows, I would suggest installing Cygwin:

	http://sources.redhat.com/cygwin/

in which case you will probably

	1) have "wc" available when running under Cygwin

and

	2) be using the Bourne-again Shell, in which case a loop of that
	   sort will work.

(You will, of course, need to set your command search path in the shell
to find Tethereal.)
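The per-directory loop described in the mail above, written out as a complete POSIX shell script. This is an added example, not code from the original message or from the Ethereal project: it assumes a Tethereal build whose "-R" read filter and "ip.checksum_bad" field behave as described above, and the TETHEREAL and FILTER variables, the "count_bad_packets" and "report_bad_checksums" function names, and the "[ -e "$f" ] || continue" guard for an empty directory are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the original mail): count the packets whose IP header
# checksum Tethereal flags as bad, for every .enc capture in a directory.
# Assumes a Tethereal build with the "ip.checksum_bad" field and the -R read
# filter option; TETHEREAL and FILTER are this example's own variables.
TETHEREAL="${TETHEREAL:-tethereal}"
FILTER="${FILTER:-ip.checksum_bad == 1}"

# Print the number of packets in one capture file that match FILTER.
# Tethereal writes one summary line per matching packet, so counting lines
# counts packets; tr strips the padding some "wc" implementations print.
count_bad_packets() {
    "$TETHEREAL" -R "$FILTER" -r "$1" | wc -l | tr -d ' '
}

# For every *.enc file in the directory given as $1, print
# "File NAME has N bad IP checksums" when N is non-zero.
report_bad_checksums() {
    dir="$1"
    for f in "$dir"/*.enc; do
        # With no .enc files the glob stays literal; skip that case.
        [ -e "$f" ] || continue
        n=$(count_bad_packets "$f")
        if [ "$n" -ne 0 ]; then
            echo "File $f has $n bad IP checksums"
        fi
    done
}

# Usage: sh check_captures.sh /path/to/capture/dir
if [ $# -ge 1 ]; then
    report_bad_checksums "$1"
fi
```

Run it with the capture directory as the only argument; set TETHEREAL to the full path of the binary if Tethereal is not on the command search path, which is the point made in the last paragraph of the mail.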